In the past, there was a standard procedure used by support before restoring access to an account in this situation. I believe this was extremely time consuming from a support viewpoint, and they now want you to use a recovery tool. https://www.fastmail.com/help/account/recovery.html. If you have tried the recovery tool, and cannot use it to regain access, you may be out of luck. I would suggest opening a support ticket explaining the situation, and see if they are sympathetic enough to help. Even if they are, you will need to be able to prove to their satisfaction that you are not engaged in a phishing attempt.

Did your friend save their account's Master Recovery Code? Aside from 2FA options, which you noted are no longer valid, that MRC (or however it's actually termed) is meant for these kinds of situations.

Did your friend save their account's Master Recovery Code? Aside from 2FA options, which you noted are no longer valid, that MRC (or however it's actually termed) is meant for these kinds of situations.

Yes, this is the best method in such a case. Itís called the Recovery Code and you can see it on the Settings>Passwords & Security>Account Recovery section, below the recovery phone and recovery email area.